* #427: Excluded transitive org.apache.httpcomponents:httpclient de… (
#429)

* #427: Excluded transitive `org.apache.httpcomponents:httpclient` dependency to avoid CVE-2020-13956, removed warnings from pom file
AnastasiiaSergienko committed Dec 9, 2020
1 parent e09faf3 commit 3c21a89
Showing 2 changed files with 59 additions and 19 deletions.
9 changes: 7 additions & 2 deletions doc/changes/changes_4.0.5.md
Expand Up @@ -2,6 +2,10 @@

Code name:

## Bug Fixes

* #427: Excluded transitive `org.apache.httpcomponents:httpclient` dependency to avoid CVE-2020-13956.

## Documentation

* #408: Removed PostgreSQL dialect documentation as it has been migrated to https://github.com/exasol/postgresql-virtual-schema.
Expand All @@ -16,6 +20,7 @@ Code name:

## Dependency updates

* Removed org.postgresql:postgresql:42.2.18
* Removed org.testcontainers:postgresql:1.15.0
* Updated `com.exasol:virtual-schema-common-jdbc:7.0.0` to `8.0.0`
* Removed `org.postgresql:postgresql:42.2.18`
* Removed `org.testcontainers:postgresql:1.15.0`
* Removed `org.apache.httpcomponents:httpclient`
69 changes: 52 additions & 17 deletions pom.xml
Expand Up @@ -123,6 +123,10 @@
<scope>test</scope>
<!--Excluding transient dependencies with vulnerabilities-->
<exclusions>
<exclusion>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
</exclusion>
<exclusion>
<groupId>org.eclipse.jetty</groupId>
<artifactId>*</artifactId>
Expand Down Expand Up @@ -173,6 +177,12 @@
<artifactId>libthrift</artifactId>
<version>0.13.0</version>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- Overrides Junit 4.12 which is used in test containers but contains a security issue:
https://ossindex.sonatype.org/vuln/7ea56ad4-8a8b-4e51-8ed9-5aad83d8efb1 -->
Expand All @@ -189,6 +199,10 @@
<scope>test</scope>
<!--Excluding transient dependencies with vulnerabilities-->
<exclusions>
<exclusion>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
</exclusion>
<exclusion>
<groupId>org.eclipse.jetty</groupId>
<artifactId>*</artifactId>
Expand Down Expand Up @@ -321,7 +335,7 @@
<descriptors>
<descriptor>assembly/all-dependencies.xml</descriptor>
</descriptors>
<finalName>virtual-schema-dist-${vscjdbc.version}-bundle-${version}</finalName>
<finalName>virtual-schema-dist-${vscjdbc.version}-bundle-${project.version}</finalName>
<appendAssemblyId>false</appendAssemblyId>
</configuration>
<executions>
Expand Down Expand Up @@ -356,35 +370,28 @@
</executions>
</plugin>
<plugin>
<groupId>org.sonatype.ossindex.maven</groupId>
<artifactId>ossindex-maven-plugin</artifactId>
<version>3.1.0</version>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.8.1</version>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>audit</goal>
<goal>display-plugin-updates</goal>
<goal>display-dependency-updates</goal>
</goals>
</execution>
</executions>
<configuration>
<excludeVulnerabilityIds>
<!-- Ignores CVE-2020-15250, because we use Java 11 and junit 4.13.1 which contains a fix:
https://ossindex.sonatype.org/vuln/7ea56ad4-8a8b-4e51-8ed9-5aad83d8efb1 -->
<exclude>7ea56ad4-8a8b-4e51-8ed9-5aad83d8efb1</exclude>
</excludeVulnerabilityIds>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.7</version>
<groupId>org.sonatype.ossindex.maven</groupId>
<artifactId>ossindex-maven-plugin</artifactId>
<version>3.1.0</version>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>display-plugin-updates</goal>
<goal>display-dependency-updates</goal>
<goal>audit</goal>
</goals>
</execution>
</executions>
Expand Down Expand Up @@ -427,5 +434,33 @@
</configuration>
</plugin>
</plugins>
<pluginManagement>
<plugins>
<plugin>
<artifactId>maven-clean-plugin</artifactId>
<version>3.1.0</version>
</plugin>
<plugin>
<artifactId>maven-deploy-plugin</artifactId>
<version>3.0.0-M1</version>
</plugin>
<plugin>
<artifactId>maven-install-plugin</artifactId>
<version>3.0.0-M1</version>
</plugin>
<plugin>
<artifactId>maven-jar-plugin</artifactId>
<version>3.2.0</version>
</plugin>
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<version>3.2.0</version>
</plugin>
<plugin>
<artifactId>maven-site-plugin</artifactId>
<version>3.9.1</version>
</plugin>
</plugins>
</pluginManagement>
</build>
</project>
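Review bot: The three new `httpclient` exclusions (the two blocks under "Excluding transient dependencies with vulnerabilities" and the one on `libthrift`) take the library off the test classpath rather than replacing it with a release that is not affected by CVE-2020-13956, so any code path in those dependencies that still needs the HTTP client classes would presumably fail with `NoClassDefFoundError` at test time, and a dependency added later can pull the vulnerable version back in. Managing the artifact once in `<dependencyManagement>` covers every transitive user and keeps the classes available; the fence sketches that entry with a placeholder version, to be merged into an existing `<dependencyManagement>` if the pom already has one outside the visible hunks. The `libthrift` exclusion also lacks the explanatory comment the other two blocks carry; `<!-- Excluded because of CVE-2020-13956 in transitive httpclient -->` would keep the reason next to the rule. The dependency declarations start outside the hunks, so which artifacts the first and third exclusions belong to is not visible here.

```xml
<!-- … unchanged: existing dependencies section … -->
<dependencyManagement>
    <dependencies>
        <!-- Forces one httpclient release that is not affected by CVE-2020-13956 for every transitive user -->
        <dependency>
            <groupId>org.apache.httpcomponents</groupId>
            <artifactId>httpclient</artifactId>
            <!-- placeholder: set to a release that contains the fix for CVE-2020-13956 -->
            <version>PLACEHOLDER-patched-httpclient-version</version>
        </dependency>
    </dependencies>
</dependencyManagement>
```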
